Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2023, 16:41
Static task: static1
Behavioral task: behavioral1
  Sample: clientfmUx.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: clientfmUx.exe
  Resource: win10v2004-20231130-en
General
Target: clientfmUx.exe
Size: 516KB
MD5: 38a9b7e6b93904b572e76cad2f99353c
SHA1: 20bd0ea13cbc76cdbb9d002a457e543d02e9d500
SHA256: 06b9b10a15c0b2856620dd4469c8a976bfbc42e506747a04a763dbeeaf1ecb79
SHA512: b381687ef7f9f32af5b254b33bfffc287f675ba06d990df011a460c4f76c81d76546203af6bf0fc412e328d5e013e3997db56b3454002edc71ab6357e4211683
SSDEEP: 12288:1oPHzIcgTRo9RvHBQAC76LUkd0bpaMwdHqUz:SPHM1ohP0XAx
Malware Config
Extracted: remcos
RemoteHost:
  retghrtgwtrgtg.bounceme.net:3839
  listpoints.click:7020
  datastream.myvnc.com:5225
  gservicese.com:2718
  center.onthewifi.com:8118
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: explorer.exe
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-OPX7KW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
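The extracted configuration above is what a responder turns into blocklist and hunt artifacts. The Python below is an added example for this report, not the sandbox's or Remcos' own code: it re-parses the label/value dump (CONFIG_DUMP carries the RemoteHost list and the other fields the script consumes, re-typed from the section above in the same layout), validates each RemoteHost entry into a (host, port) pair, flags hosts under free dynamic-DNS parents, and decodes the feature flags. The %AppData% on-disk layout and the dynamic-DNS suffix list are assumptions, not facts the report states.

```python
"""Turn the Remcos config dump above into hunting artifacts.
Added example for this report, not the sandbox's or Remcos' own code. CONFIG_DUMP is
re-typed from the report's "Malware Config" section in its label/value layout; the
%AppData% layout and the dynamic-DNS suffix list are assumptions, not report facts."""
import re
from collections import defaultdict

CONFIG_DUMP = """\
RemoteHost
retghrtgwtrgtg.bounceme.net:3839
listpoints.click:7020
datastream.myvnc.com:5225
gservicese.com:2718
center.onthewifi.com:8118
copy_file
explorer.exe
install_flag
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mutex
Rmc-OPX7KW
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
"""

# Every field label the report's Remcos config section uses.
KEYS = set("""RemoteHost audio_folder audio_record_time connect_delay connect_interval copy_file
delete_file hide_file hide_keylog_file install_flag keylog_crypt keylog_file keylog_flag
keylog_folder mouse_option mutex screenshot_crypt screenshot_flag screenshot_folder
screenshot_path screenshot_time take_screenshot_option take_screenshot_time""".split())
# Assumption: free dynamic-DNS parents often seen in RAT C2 lists; extend as needed.
DDNS_SUFFIXES = ("bounceme.net", "myvnc.com", "onthewifi.com", "ddns.net", "hopto.org")
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$", re.I)


def parse_config(text):
    """A known label starts a field; the non-label lines after it are its values."""
    cfg, key = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "-":            # blank lines and report separators
            continue
        if line in KEYS:
            key = line
            cfg[key]                           # register the field even if no value follows
        elif key is not None:
            cfg[key].append(line)
    return dict(cfg)


def c2_endpoints(cfg):
    """Validated (host, port) pairs from RemoteHost; malformed entries are dropped."""
    out = []
    for entry in cfg.get("RemoteHost", []):
        parts = entry.split(":")               # report shows host:port; extra fields ignored
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        host, port = parts[0].lower(), int(parts[1])
        if 1 <= port <= 65535 and HOST_RE.match(host):
            out.append((host, port))
    return out


def is_ddns(host):
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def hunting_artifacts(cfg):
    def first(k, default=""):
        return (cfg.get(k) or [default])[0]
    c2 = c2_endpoints(cfg)
    return {
        "c2": c2,
        "ddns_c2": [h for h, _ in c2 if is_ddns(h)],
        "mutex": first("mutex"),
        "copy_name": first("copy_file"),
        "installs_copy": first("install_flag") == "true",
        "keylogger_enabled": first("keylog_flag") == "true",
        "screenshots_enabled": first("screenshot_flag") == "true",
        # Assumed on-disk layout: %AppData%\<keylog_folder>\<keylog_file>
        "keylog_path": "%AppData%\\" + first("keylog_folder") + "\\" + first("keylog_file"),
        "screenshot_dir": first("screenshot_path", "%AppData%") + "\\" + first("screenshot_folder"),
    }
```

Run `hunting_artifacts(parse_config(CONFIG_DUMP))` to get the C2 pairs, the mutex and the derived paths in one dictionary. Three of the five C2 hosts sit under No-IP dynamic-DNS parents, which is why the DDNS check is worth keeping separate from the plain blocklist: those names can be repointed at any time, so the hunt should also cover DNS queries for them, not only the resolved addresses.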
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 3284 set thread context of 4208  3284  clientfmUx.exe  88

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3284  clientfmUx.exe
  3284  clientfmUx.exe
  4208  cmd.exe
  4208  cmd.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  3284  clientfmUx.exe
  4208  cmd.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3284  clientfmUx.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process         procid_target
  PID 3284 wrote to memory of 4208  3284  clientfmUx.exe  88
  PID 3284 wrote to memory of 4208  3284  clientfmUx.exe  88
  PID 3284 wrote to memory of 4208  3284  clientfmUx.exe  88
  PID 3284 wrote to memory of 4208  3284  clientfmUx.exe  88
  PID 4208 wrote to memory of 2452  4208  cmd.exe         93
  PID 4208 wrote to memory of 2452  4208  cmd.exe         93
  PID 4208 wrote to memory of 2452  4208  cmd.exe         93
  PID 4208 wrote to memory of 2452  4208  cmd.exe         93
Processes
  C:\Users\Admin\AppData\Local\Temp\clientfmUx.exe  "C:\Users\Admin\AppData\Local\Temp\clientfmUx.exe"  PID:3284
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  C:\Windows\SysWOW64\cmd.exe  PID:4208
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe  C:\Windows\SysWOW64\explorer.exe  PID:2452
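Read together, the SetThreadContext and WriteProcessMemory rows and the process tree describe a two-hop injection: clientfmUx.exe writes into the 32-bit cmd.exe it spawned and redirects a thread there, and that cmd.exe in turn writes into the explorer.exe it spawned. The Python below is an added example, not the sandbox's own rule logic: it parses event lines in the report's own row format (EVENTS is constructed from the rows above), joins them to the process tree, labels each source/target pair by the API combination seen, and walks the chain of targets. The verdict names and the "system binary" and "Temp" heuristics are the author's assumptions.

```python
"""Reconstruct the injection chain in this report from its API-event rows.
Added example, not the sandbox's own rule logic. EVENTS copies the report's
SetThreadContext/WriteProcessMemory rows; PROCESSES encodes its process tree.
The verdict labels and the "system binary"/"Temp" heuristics are assumptions."""
import re
from collections import Counter, defaultdict

EVENTS = """\
PID 3284 set thread context of 4208 3284 clientfmUx.exe 88
PID 3284 wrote to memory of 4208 3284 clientfmUx.exe 88
PID 3284 wrote to memory of 4208 3284 clientfmUx.exe 88
PID 3284 wrote to memory of 4208 3284 clientfmUx.exe 88
PID 3284 wrote to memory of 4208 3284 clientfmUx.exe 88
PID 4208 wrote to memory of 2452 4208 cmd.exe 93
PID 4208 wrote to memory of 2452 4208 cmd.exe 93
PID 4208 wrote to memory of 2452 4208 cmd.exe 93
PID 4208 wrote to memory of 2452 4208 cmd.exe 93
"""

# pid -> (image path, parent pid), taken from the report's process tree.
PROCESSES = {
    3284: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\clientfmUx.exe", None),
    4208: ("C:\\Windows\\SysWOW64\\cmd.exe", 3284),
    2452: ("C:\\Windows\\SysWOW64\\explorer.exe", 4208),
}

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")
API_NAME = {"wrote to memory of": "WriteProcessMemory",
            "set thread context of": "SetThreadContext"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_events(text):
    """-> {(source pid, target pid): Counter of API names}"""
    pairs = defaultdict(Counter)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            pairs[(int(m.group(1)), int(m.group(3)))][API_NAME[m.group(2)]] += 1
    return pairs


def classify(pairs, procs):
    """One finding per source->target pair, labelled by the API combination seen."""
    findings = []
    for (src, dst), apis in sorted(pairs.items()):
        src_image = procs.get(src, ("<unknown>", None))[0]
        dst_image, dst_parent = procs.get(dst, ("<unknown>", None))
        wrote, hijacked = apis["WriteProcessMemory"] > 0, apis["SetThreadContext"] > 0
        if wrote and hijacked:
            verdict = "hollowing-candidate"    # code written, then a thread pointed at it
        elif wrote:
            verdict = "memory-write"           # injection stage without thread redirection
        else:
            verdict = "thread-context-only"
        findings.append({
            "src": src, "dst": dst, "src_image": src_image, "dst_image": dst_image,
            "apis": dict(apis), "verdict": verdict,
            "dst_is_child": dst_parent == src,
            "dst_is_system_binary": dst_image.lower().startswith(SYSTEM_DIRS),
            "src_in_temp": "\\temp\\" in src_image.lower(),
        })
    return findings


def injection_chain(pairs, root):
    """Follow source->target edges from root until a dead end or a repeat."""
    chain, seen = [root], {root}
    while True:
        nxt = [d for (s, d) in pairs if s == chain[-1] and d not in seen]
        if not nxt:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


if __name__ == "__main__":
    pairs = parse_events(EVENTS)
    for f in classify(pairs, PROCESSES):
        print(f"{f['src']} -> {f['dst']}: {f['verdict']} {f['apis']} "
              f"child={f['dst_is_child']} system_binary={f['dst_is_system_binary']}")
    print("chain:", " -> ".join(map(str, injection_chain(pairs, 3284))))
```

The point of separating the verdict from the context flags is that neither alone is conclusive: a debugger legitimately calls both APIs on its child, and plenty of installers write into processes they spawned. Here all three signals line up for the first hop (Temp-resident parent, SysWOW64 system binary as child, write plus thread redirection), and the second hop carries the injected code one process further, which is why the chain walk matters for scoping: explorer.exe, not cmd.exe, is where the final payload should be memory-dumped.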
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 68b28f198fd237612c4bec43eb1cf994
SHA1: 1d77229ec0651946d2937aa5b368877fca56575b
SHA256: 636b6296acd0ca016c81a1e25e75244335fda2755a0b986bbdce918d69a6e3a9
SHA512: a45a73c44a62964128e25a4c91cd018baf61d65b192f868f4030782fe5de1549859fab1cb0a5371b41578c3788384430cee264c4fcefcb8b923d3eeccc9d0f5f